About a year ago I set up 3 lists. I was fairly certain I set
up 2 of the lists as private and 1 as public. A couple weeks ago
we discovered that all three were set to public (looking in the web
admin interface). Now I'm not certain if somehow I didn't originally set
them private. We've upgraded Mailman at least once in this time, not
sure if that could possibly have affected the settings but I should think
it unlikely.

Anyway, we then toggled the 2 lists we wanted back to private, but
searching Google I am able to find a couple posts. Additionally, going
to the Mailman-run web site for one of the mailing lists (the page
people can subscribe from or view the archives, etc), when one clicks
on the Archives, one isn't prompted
for authentication and just gets the /mailman/private/list archive pages
(listed by month: thread/author/subject/date) and one is able to click
and read the archives.

I attempted to rebuild the archives with the arch command but that
appears to not have the desired effect.

Running check_perms showed that the /private archives had the +x for
'other' set so I toggled that to -x.

I can still go to the list archives page and view the private archives
though.

I was wondering what the best way to limit viewing of these pages from
the outside public but allow list members to still have access to the
archives is.

Is there something obvious I am missing?


  • Mark Sapiro at May 1, 2006 at 10:39 pm

    Michael Urashka wrote:
    > About a year ago I set up 3 lists. I was fairly certain I set
    > up 2 of the lists as private and 1 as public.

    I assume you're talking about archives here.

    > A couple weeks ago
    > we discovered that all three were set to public (looking in the web
    > admin interface). Now I'm not certain if somehow I didn't originally set
    > them private. We've upgraded Mailman at least once in this time, not
    > sure if that could possibly have affected the settings but I should think
    > it unlikely.

    Upgrading Mailman shouldn't change a list's archive from private to
    public or vice versa. I haven't heard of this failing.

    > Anyway, we then toggled the 2 lists we wanted back to private, but
    > searching Google I am able to find a couple posts.

    The posts were indexed in Google while the archive was public, but with
    a 'pipermail' URL that won't work. They will eventually disappear from
    Google.

    > Additionally, going
    > to the Mailman-run web site for one of the mailing lists (the page
    > people can subscribe from or view the archives, etc), when one clicks
    > on the Archives, one isn't prompted
    > for authentication and just gets the /mailman/private/list archive pages
    > (listed by month: thread/author/subject/date) and one is able to click
    > and read the archives.

    Most likely because you previously authorized as the list admin (or a
    list member) during that browser session and still have the
    authorization cookie.

    > I attempted to rebuild the archives with the arch command but that
    > appears to not have the desired effect.
    >
    > Running check_perms showed that the /private archives had the +x for
    > 'other' set so I toggled that to -x.

    This will probably break access to your remaining public archive via the
    'pipermail' URL. If it doesn't, that's great - leave it o-x, but I
    think you'll probably need to put it back to o+x to access public
    archives via the 'pipermail' URL.

    > I can still go to the list archives page and view the private archives
    > though.

    o+x or o-x on the archives/private directory will have no effect on
    private archive access. I still think you are able to access the
    private archive without authorizing because of a saved cookie from
    prior authorization in the browser session.

    > I was wondering what the best way to limit viewing of these pages from
    > the outside public but allow list members to still have access to the
    > archives is.

    Making the archive private should do it.

    > Is there something obvious I am missing?

    The cookie.

    --
    Mark Sapiro <msapiro at value.net>
    San Francisco Bay Area, California
    The highway is for gamblers, better use your sense - B. Dylan
  • Dragon at May 1, 2006 at 10:57 pm

    Mark Sapiro sent the message below at 15:39 5/1/2006:

    >> Anyway, we then toggled the 2 lists we wanted back to private, but
    >> searching Google I am able to find a couple posts.
    > The posts were indexed in Google while the archive was public, but with
    > a 'pipermail' URL that won't work. They will eventually disappear from
    > Google.
    ---------------- End original message. ---------------------

    Just as an FYI for anyone in this predicament, you can request that
    Google remove certain URLs from their search index without having to
    wait for the links to expire in a normal Google index cycle.

    I'm not sure of the exact mechanism to do this but I do seem to
    recall that they will process the request within 48 hours.

    Dragon

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Venimus, Saltavimus, Bibimus (et naribus canium capti sumus)
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  • Michael Urashka at May 10, 2006 at 10:29 pm

    >> Additionally, going
    >> to the Mailman-run web site for one of the mailing lists (the page
    >> people can subscribe from or view the archives, etc), when one clicks
    >> on the Archives, one isn't prompted
    >> for authentication and just gets the /mailman/private/list archive pages
    >> (listed by month: thread/author/subject/date) and one is able to click
    >> and read the archives.
    > Most likely because you previously authorized as the list admin (or a
    > list member) during that browser session and still have the
    > authorization cookie.
    >
    > Making the archive private should do it.

    This indeed seemed to be the case! Two systems we had been accessing the
    lists from both had the authentication cookie. Deleting all cookies and
    trying to access:

    http://www.somewebsite.com/mailman/private/somelist

    Now prompts for email address and password. Many thanks.

    ###

    One last current issue though. Currently going directly to a page
    like this still lets me in after deleting cookies of course.

    http://www.somesite.com/pipermail/somelist/2005-October/000003.html

    But these pages give a 'Forbidden' error:

    http://www.somesite.com/pipermail/
    http://www.somesite.com/pipermail/somelist/
    http://www.somesite.com/pipermail/somelist/2005-October/

    Looking in Apache's httpd.conf there's an alias for pipermail into:

    Alias /pipermail/ "/usr/local/mailman/archives/private/"

    Will changing this (or commenting it out) likely break access to any
    of the public lists on the same server? Having inherited these mailing
    lists and mailman and web server, I'm uncertain exactly how things were
    set up and should be.

    Or should I just put a .htaccess file (or directive in httpd.conf) in the
    /usr/local/mailman/archives/private/ directory?

    --
    Michael
  • Richard Barrett at May 10, 2006 at 10:58 pm

    On 10 May 2006, at 23:29, Michael Urashka wrote:

    >>> Additionally, going
    >>> to the Mailman-run web site for one of the mailing lists (the page
    >>> people can subscribe from or view the archives, etc), when one clicks
    >>> on the Archives, one isn't prompted
    >>> for authentication and just gets the /mailman/private/list archive pages
    >>> (listed by month: thread/author/subject/date) and one is able to click
    >>> and read the archives.
    >> Most likely because you previously authorized as the list admin (or a
    >> list member) during that browser session and still have the
    >> authorization cookie.
    >>
    >> Making the archive private should do it.
    > This indeed seemed to be the case! Two systems we had been accessing the
    > lists from both had the authentication cookie. Deleting all cookies and
    > trying to access:
    >
    > http://www.somewebsite.com/mailman/private/somelist
    >
    > Now prompts for email address and password. Many thanks.
    >
    > ###
    >
    > One last current issue though. Currently going directly to a page
    > like this still lets me in after deleting cookies of course.
    >
    > http://www.somesite.com/pipermail/somelist/2005-October/000003.html
    >
    > But these pages give a 'Forbidden' error:
    >
    > http://www.somesite.com/pipermail/
    > http://www.somesite.com/pipermail/somelist/
    > http://www.somesite.com/pipermail/somelist/2005-October/
    >
    > Looking in Apache's httpd.conf there's an alias for pipermail into:
    >
    > Alias /pipermail/ "/usr/local/mailman/archives/private/"

    This should probably read:

    Alias /pipermail/ "/usr/local/mailman/archives/public/"

    > Will changing this (or commenting it out) likely break access to any
    > of the public lists on the same server? Having inherited these mailing
    > lists and mailman and web server, I'm uncertain exactly how things were
    > set up and should be.
    >
    > Or should I just put a .htaccess file (or directive in httpd.conf) in the
    > /usr/local/mailman/archives/private/ directory?
    >
    > --
    > Michael
  • Mark Sapiro at May 11, 2006 at 6:27 am

    Richard Barrett wrote:
    > On 10 May 2006, at 23:29, Michael Urashka wrote:
    >
    >> But these pages give a 'Forbidden' error:
    >>
    >> http://www.somesite.com/pipermail/
    >> http://www.somesite.com/pipermail/somelist/
    >> http://www.somesite.com/pipermail/somelist/2005-October/
    >>
    >> Looking in Apache's httpd.conf there's an alias for pipermail into:
    >>
    >> Alias /pipermail/ "/usr/local/mailman/archives/private/"
    >
    > This should probably read:
    >
    > Alias /pipermail/ "/usr/local/mailman/archives/public/"

    Richard is correct about this. It should definitely point to the
    public/ directory, not the private/ directory.

    >> Will changing this (or commenting it out) likely break access to any
    >> of the public lists on the same server?

    You don't want to comment it out as that will break all public archive
    access for sure. You need to make it as Richard says or you will be
    able to access private archives via the pipermail URL. Then, if that
    doesn't fix the problem, you need to remember this from my first reply
    in this thread.

    >> Running check_perms showed that the /private archives had the +x for
    >> 'other' set so I toggled that to -x.
    >
    > This will probably break access to your remaining public archive via the
    > 'pipermail' URL. If it doesn't, that's great - leave it o-x, but I
    > think you'll probably need to put it back to o+x to access public
    > archives via the 'pipermail' URL.

    --
    Mark Sapiro <msapiro at value.net>
    San Francisco Bay Area, California
    The highway is for gamblers, better use your sense - B. Dylan
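
The misconfiguration found in this thread, an Apache Alias that maps a URL straight into archives/private so pages are served without the /mailman/private login, can be checked for mechanically. The following is an added example, not code from the thread or from the Mailman project; the function name `audit_aliases` and the sample config are constructed for illustration, and the check assumes paths without spaces and does not follow Include directives.

```shell
#!/bin/sh
# audit_aliases CONF
# Prints "LINE_NO: directive" for every active Alias/AliasMatch whose
# filesystem target lies inside a Mailman archives/private directory.
# Exit status: 1 if at least one such directive was found, 0 otherwise.
audit_aliases() {
    awk '
        /^[ \t]*#/ { next }                  # ignore commented-out lines
        tolower($1) ~ /^alias(match)?$/ {    # directive names are case-insensitive
            target = $3
            gsub(/"/, "", target)            # strip optional quoting
            if (target ~ /\/archives\/private(\/|$)/) {
                printf "%d: %s\n", NR, $0
                bad = 1
            }
        }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# Constructed sample: the alias reported in the thread, plus lines that
# must not be flagged (a comment and the CGI ScriptAlias).
conf=$(mktemp)
cat > "$conf" <<'EOF'
ScriptAlias /mailman/ "/usr/local/mailman/cgi-bin/"
# Alias /oldarchive/ "/usr/local/mailman/archives/private/"
Alias /pipermail/ "/usr/local/mailman/archives/private/"
EOF

if audit_aliases "$conf"; then
    echo "OK: no alias points into archives/private"
else
    echo "WARNING: private archives are reachable without authentication"
fi
rm -f "$conf"
```

After changing the alias to archives/public/ as advised above, the function prints nothing and returns 0 for the same file.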

Discussion Overview
group: mailman-users @
categories: python
posted: May 1, '06 at 8:18p
active: May 11, '06 at 6:27a
posts: 6
users: 4
website: list.org
